Securing to Compliance w/ iPads and Tablets in a PCI world

A growing and undeniable trend is the consumerization of devices. The use of iPads and tablets in the enterprise and the corporate board room is growing rapidly. Anecdotally, 90% of first class on my last 10 flights were using iPads, and 50% of the attendees at my last CxO work session. Recent stats show 95% of tablet traffic comes from iPads. Needless to say, these devices are here to stay, and information security professionals must adopt rapid models to Enable-Securely these end-points. Practically speaking, it is not possible to simply block or deny the use of these devices, as their enterprise value will continue to increase. In addition, most organizations already see these devices in use with no policies, no technology enabling their usage, and no methods of risk awareness (let alone risk assessment or risk treatment).

I was recently asked how the usage of these devices in an enterprise would affect its PCI compliance state, and its security risks in general. I feel there are a lot of ‘it depends’ and assumptions necessary with such a fragile Use Case, but let’s entertain the following question.

What risks should enterprises be aware of as they relate to these devices, and in particular to sustaining their security program in a compliant manner that satisfies requirements such as PCI DSS?

Risks to consider, at least:

Who owns the data? When data is transferred to or created on another device, who owns it? This matters for forensic investigations, liability, and rights-of-usage laws. A consumer-purchased iPad is one example on the surface, and the in-store App purchases themselves are another, but once Cloud-enabled services (the Apps installed on the tablets themselves) are in use, the need to understand data ownership extends further and rapidly becomes complex.

Whitelists and blacklists of service providers may be helpful here. At a minimum, understanding who owns the data, how responses will be managed, and guiding principles (that can be monitored with metrics) on the usage of third-party devices, apps and services would be key.

All the security in the world can be bypassed with physical access, so devise a “when lost, do x” plan; ensure configurations exist to support that activity (remote lock and wipe, for instance); and establish a protocol for the Cloud provider accounts linked to the device.

The above is directed at the device itself being lost (such as left on a plane), but when the device syncs with the home computer (who owns this computer, and how secure is it?) usually the ENTIRE device is backed up as one large compressed file. This file can be loaded in a host environment and provide access to the data without the device. Consideration of these sync systems is critical (note this is not iCloud or DropBox, as those are over the air; this risk is aimed at over-the-wire activities).

Accept that sensitive data is residing on these devices – confidential, proprietary, sensitive, etc. Plan accordingly. Instituting careful data management can ensure that such data is enabled through channels that are secure on these devices, and through repositories that match the data risk and the device exposure risk.

(PCI considerations) If this device is being used as a point of sale terminal, then the common care and management applied to any POS terminal is appropriate. If the device is part of the Card Data Network without being key to the transaction, then perhaps some segmentation efforts would simplify the broader risks (if all end points are in the card data environment, this is probably a larger problem than the population of iPads). The same safeguards on the technology deployed, with consideration of Sensitive data (prior item), can satisfy the requirements of PCI DSS, so this is a non-issue when deployed “appropriately”.

Mobile security safeguards and policies will not mirror the common computing system policies, as the use cases are different and the advantages are different. A nice point raised by Dave Whitelegg is that mobile policies enforcing password complexity (alpha; upper/lower case; and special symbols) on a tablet would kill (my word) a key attractor of the tablets. Therefore some balance needs to be achieved. This is also true when deploying applications such as “Good for Enterprise”. The multi-layer password sandbox approach is the wrong approach in many cases, as it violates the first principle above and may not enable users sufficiently to prevent the Ghost-IT specter.

The risk assessment of these devices within the enterprise must look beyond the hardware and operating system (both important to understand and consider) and must also consider the applications installed and the risk of converging these applications.

Applications – How are these applications handling data? How are the applications leveraging or integrating with other third parties (e.g., linking to DropBox)? How are these applications transmitting data, and what data is being transmitted (the Pulse full contact list transmission comes to mind here, a technically permitted activity but an unexpected one)? Finally, how are those applications managing the data once received? (Note: we are not stating that they are securing the data; we must first understand how they are managing it, and then ultimately whether they should be securing it, demonstrating this security, and continuing such security.)

Ultimately these emerging (emerged?) devices require the care and attention of all elements of the computing environment, and it is the opportunity and task at hand to influence and sustain a secure computing environment with each type of device.

On the question of whether these devices can be deployed within a card data environment and/or be used in commerce… the answer is yes, of course, with the proper care and awareness.

There is an emerging market on enabling these devices in the enterprise. As I identify any of interest I’ll include them below (I have not vetted these so consider this a simple index if you will):